Federating identity for the Web

User-centric innovations CardSpace and OpenID may finally bring the promise of federation within reach

Distributed organizations, such as universities, will also be early adopters because of their need to allow developers outside the traditional IT trust circle to authenticate users and retrieve attributes appropriately. In fact, authentication systems built for use in higher education, such as CAP (Common Authentication Project), are already being retrofitted with OpenID and CardSpace.

Many Web sites have already adopted these technologies, and this adoption is not limited to blog comments, rather it extends to authentication services for consumer-facing services. The key benefits are fast proving to be easier account management and the ability to avoid inventing yet another authentication scheme.

Near-term planning

During the next year, expect to see products from federation vendors that begin to capitalize on user-centric technologies. When they do, there will undoubtedly be projects in your organization that would benefit from putting the user in the middle of the transaction.

In the meantime, it's not too early to start exploring. You can use both OpenID and CardSpace now on a variety of sites on the Web. If you really want to get your hands dirty, good libraries and toolkits are available for CardSpace and OpenID. Identify a pilot project where user-centric identity would solve a sticky problem and dive in.

Understanding OpenID and CardSpace

User-centric identity, which puts users at the center of identity transactions, is fast capturing the attention of the Web-minded world. In fact, many traditional organizations are looking to blend user-centric technologies with traditional identity solutions in pursuit of federation.

Here's how user-centric identity works. Each transaction involves three actors: the user, the IdP (identity provider), and the RP (relying party). When the user needs to transact business with the RP, the RP asks for an identity credential. The user selects which credential to use and informs the credential-issuing IdP of the pending transaction. The IdP then sends a trustworthy message to the RP that the user is entitled to the credential he or she has selected.

Two technologies are at the forefront of this movement: CardSpace and OpenID. The two systems differ in their approach to the above steps, yet they share one critical aspect: Both carve out a central role for users in identity transactions and require the users to be actively involved whenever credentials are exchanged.


Developed and promoted by Microsoft, CardSpace differs from Microsoft's earlier identity efforts in that it is not a centralized identity product but is rather a protocol for building distributed identity systems. Microsoft offers products that implement CardSpace-compatible identity providers and relying parties, but so do other vendors.

CardSpace is a token-based system, meaning that the credentials are cryptographic messages that the IdP creates and the RP can verify. These tokens are created on the fly by the IdP at the request of the user and include a subset of the attributes contained in the parent credential.

The central feature of CardSpace is the identity selector. Just like your wallet, the selector allows you to pick the credential you would like to send to an RP. The CardSpace protocol limits the available credentials to those that meet the RP's requirements. For example, if the RP wants payment, nonpayment cards would be excluded and your selector would show only the credit cards you have stored.

The selector allows for two kinds of cards: self-issued and managed. Self-issued cards are useful for activities such as authenticating into a blog commenting system and similar low-risk transactions. Managed cards might include a credit card from your bank, an ID from your employer, or even an online version of your driver's license from your state government.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about AOLBurton GroupCA TechnologiesFrance TelecomINSInteropLinuxMicrosoftMilestoneNovellPromiseProvisionProvisionRPS

Show Comments